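syntax = "proto3";

package quartermaster.v1;

import "google/protobuf/timestamp.proto";

// Issues, rotates, revokes and looks up credentials managed by Quartermaster.
//
// Database credentials are handed back by reference only (secret_ref plus
// secret_namespace); the secret material itself never appears in those
// responses. Cloud credentials are different: ProvisionCloudCredentialResponse
// carries the issued material inline, so that RPC must only be reachable over
// an authenticated, encrypted channel and its response must not be logged.
service QuartermasterCredentials {
  // Issues a database credential for a service on a cluster.
  rpc ProvisionDatabase(ProvisionDatabaseRequest)
      returns (ProvisionDatabaseResponse);

  // Replaces an existing database credential with a new one.
  rpc RotateCredential(RotateCredentialRequest)
      returns (RotateCredentialResponse);

  // Revokes a database credential.
  rpc RevokeCredential(RevokeCredentialRequest)
      returns (RevokeCredentialResponse);

  // Returns the metadata and secret reference for one credential.
  rpc GetCredentialRef(GetCredentialRefRequest)
      returns (GetCredentialRefResponse);

  // Lists credentials issued for a cluster. Not paginated: the response
  // holds every matching credential in one message.
  rpc ListCredentials(ListCredentialsRequest)
      returns (ListCredentialsResponse);

  // Phase 8: Cloud credential provisioning via STS AssumeRole.

  // Obtains short-lived cloud credentials by assuming a role.
  rpc ProvisionCloudCredential(ProvisionCloudCredentialRequest)
      returns (ProvisionCloudCredentialResponse);

  // Revokes a previously provisioned cloud credential.
  rpc RevokeCloudCredential(RevokeCloudCredentialRequest)
      returns (RevokeCloudCredentialResponse);

  // Returns the metadata for one cloud credential. The credential material
  // itself is not part of the response.
  rpc GetCloudCredential(GetCloudCredentialRequest)
      returns (GetCloudCredentialResponse);
}

// Request for ProvisionDatabase.
message ProvisionDatabaseRequest {
  // Identifier of the cluster the credential is issued on.
  string cluster_id = 1;
  // Service the credential is issued for.
  string service_name = 2;
  // Database the credential is scoped to.
  string database_name = 3;
}

// Response for ProvisionDatabase. Contains a reference to the stored secret,
// never the secret itself.
message ProvisionDatabaseResponse {
  // Identifier used by RotateCredential, RevokeCredential and GetCredentialRef.
  string credential_id = 1;
  // Reference to the secret holding the credential material.
  string secret_ref = 2;
  // Namespace the referenced secret lives in.
  string secret_namespace = 3;
  // When the credential was issued.
  google.protobuf.Timestamp issued_at = 4;
  // Opaque leaf recorded for this issuance. The hash function and leaf
  // layout are not defined in this file; presumably an audit/transparency
  // log entry — confirm with the issuer before verifying it.
  bytes merkle_leaf = 5;
}

// Request for RotateCredential.
message RotateCredentialRequest {
  // Credential to rotate.
  string credential_id = 1;
}

// Response for RotateCredential. Rotation yields a new credential_id; the
// old one is not returned here.
message RotateCredentialResponse {
  // Identifier of the replacement credential.
  string new_credential_id = 1;
  // Reference to the secret holding the new credential material.
  string secret_ref = 2;
  // When the replacement was issued.
  google.protobuf.Timestamp issued_at = 3;
  // Opaque leaf recorded for this rotation; see ProvisionDatabaseResponse.
  bytes merkle_leaf = 4;
}

// Request for RevokeCredential.
message RevokeCredentialRequest {
  // Credential to revoke.
  string credential_id = 1;
}

// Response for RevokeCredential.
message RevokeCredentialResponse {
  // When the revocation took effect.
  google.protobuf.Timestamp revoked_at = 1;
}

// Request for GetCredentialRef.
message GetCredentialRefRequest {
  // Credential to look up.
  string credential_id = 1;
}

// Response for GetCredentialRef. Also used as the item type of
// ListCredentialsResponse, so any change here is visible in both RPCs.
message GetCredentialRefResponse {
  string credential_id = 1;
  string cluster_id = 2;
  string service_name = 3;
  // Kind of credential. Free-form here; the set of values is not enumerated
  // in this file.
  string credential_type = 4;
  // Login name the credential was issued under.
  string username = 5;
  string database_name = 6;
  // Reference to the secret holding the material (see ProvisionDatabaseResponse).
  string secret_ref = 7;
  string secret_namespace = 8;
  google.protobuf.Timestamp issued_at = 9;
  // Expiry of the credential. Unset means no expiry was recorded; callers
  // should treat that as "unknown", not "never expires".
  google.protobuf.Timestamp expires_at = 10;
  // True once the credential has been revoked. Implicit presence: an absent
  // field reads as false, so a reader cannot distinguish "not revoked" from
  // "not populated".
  bool revoked = 11;
}

// Request for ListCredentials.
message ListCredentialsRequest {
  // Cluster whose credentials are listed.
  string cluster_id = 1;
}

// Response for ListCredentials.
message ListCredentialsResponse {
  // Every credential on the requested cluster. Reuses the GetCredentialRef
  // response type; there is no page token, so large clusters produce large
  // messages.
  repeated GetCredentialRefResponse credentials = 1;
}

// Phase 8: Cloud credential provisioning messages.

// Request for ProvisionCloudCredential. role_arn, session_policy,
// duration_seconds and external_id line up with the AssumeRole parameters
// the service comment refers to; how the server maps them is not shown here.
message ProvisionCloudCredentialRequest {
  // Tenant on whose behalf the role is assumed.
  string tenant_id = 1;
  string workspace_name = 2;
  // Caller-supplied identifier tying this provisioning to an operation.
  string operation_id = 3;
  // Cloud provider. Free-form; values are not enumerated in this file.
  string provider_type = 4;
  // Role to assume.
  string role_arn = 5;
  // Inline policy applied to the session. Presumably a policy document in
  // the provider's format; the server should bound its size and validate it
  // before forwarding — confirm where that happens.
  string session_policy = 6;
  // Requested session lifetime in seconds. The provider enforces its own
  // minimum and the role's maximum session duration.
  uint32 duration_seconds = 7;
  // Value passed as the role's external id; this is the provider-side
  // mechanism that keeps a role from being assumed on behalf of the wrong
  // party, so it should be treated as a secret, not as a plain label.
  string external_id = 8;
}

// Response for ProvisionCloudCredential. Unlike the database responses, this
// message carries the credential material itself.
message ProvisionCloudCredentialResponse {
  // Identifier used by RevokeCloudCredential and GetCloudCredential.
  string credential_ref_id = 1;
  // Issued credential material, keyed by name. Sensitive: do not log, do not
  // persist beyond expires_at, and only return over an authenticated,
  // encrypted channel. Map iteration order is undefined.
  // NOTE(review): the source read `map credentials` with its type arguments
  // lost in extraction; `map<string, string>` is assumed here — confirm
  // against the generated code.
  map<string, string> credentials = 2;
  // When the issued material stops being valid.
  google.protobuf.Timestamp expires_at = 3;
  // Session name the material was issued under.
  string session_name = 4;
  // Opaque leaf recorded for this issuance; see ProvisionDatabaseResponse.
  bytes merkle_leaf = 5;
}

// Request for RevokeCloudCredential.
message RevokeCloudCredentialRequest {
  // Cloud credential to revoke.
  string credential_ref_id = 1;
}

// Response for RevokeCloudCredential.
message RevokeCloudCredentialResponse {
  // When the revocation took effect.
  google.protobuf.Timestamp revoked_at = 1;
}

// Request for GetCloudCredential.
message GetCloudCredentialRequest {
  // Cloud credential to look up.
  string credential_ref_id = 1;
}

// Response for GetCloudCredential. Metadata only; the credential material
// returned at provisioning time is not re-exposed here.
message GetCloudCredentialResponse {
  string credential_ref_id = 1;
  string tenant_id = 2;
  string provider_type = 3;
  string role_arn = 4;
  string session_name = 5;
  google.protobuf.Timestamp issued_at = 6;
  google.protobuf.Timestamp expires_at = 7;
  // True once revoked; implicit presence, see GetCredentialRefResponse.
  bool revoked = 8;
  // Opaque leaf recorded for this issuance; see ProvisionDatabaseResponse.
  bytes merkle_leaf = 9;
}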